UPDATE: As of 4AM Pacific, on November 3rd, we’ve received various reports of another related outbreak of exploited sites on GoDaddy. We’re currently researching the issue and will provide updated scripts if necessary. Please comment below if you have been affected, or if you have any information on the exploit.
Just a quick update to this blog post: More Attacks – insomniaboldinfocom.com.
We posted a few days ago that attackers were using insomniaboldinfocom.com to spread malware to multiple web sites. Today, they changed domains and are targeting GoDaddy sites using insomniaboldinfoorg.com.
The following domains/IP addresses are being used to spread the attack:
All the sites we’ve seen so far have the following code added to all PHP files:
This is the usual eval(base64_decode(...)) obfuscation: the injected line decodes a base64 string and passes it to eval(), so the real payload is only visible after decoding. What is interesting is that this site is hosted at 188.8.131.52, an address used in previous attacks by the “Hilary Kneber” group, so we think they are all related:
Clean Up Action
The following script should clean up any infected site:
Updated 10/31/10 14:25 Pacific.
If you don’t have SSH access, download this file to your desktop: GoDaddy Fix 10/31/10
Once you have the file downloaded, rename gdd-fix_php.txt to gdd-fix_php.php
Upload the fix file to your site via FTP/sFTP, then open it in your browser (Example: http://yoursite.com/gdd-fix_php.php)
This script will take a few minutes to complete, but will scan your whole site and remove the malware entries.
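The fix script itself is not reproduced on this page, so the following is an added example of the same idea, written for this post rather than being Sucuri's script: walk a site, find PHP files carrying an eval(base64_decode(...)) block, decode the payload so it can be reviewed, and strip the block. It assumes the injection takes the generic form `<?php eval(base64_decode("...")); ?>` at the top of each file (the exact bytes used in this outbreak are not shown above), and the sample file and payload are constructed for the demonstration. Run it with SSH access as a dry run first; only write changes back once the reported payloads look like the injection and not legitimate code.

```python
import base64
import re
from pathlib import Path

# Assumed shape of the injection: a PHP tag wrapping eval(base64_decode("...")).
# The page does not show the exact injected bytes, so this regex matches the
# generic form with a quoted base64 string and tolerates surrounding whitespace.
INJECTION_RE = re.compile(
    r'<\?php\s+eval\(base64_decode\((["\'])([A-Za-z0-9+/=]+)\1\)\);\s*\?>\s*',
    re.DOTALL,
)


def strip_injections(source: str):
    """Return (cleaned_source, decoded_payloads).

    Every eval(base64_decode(...)) block is removed from the file contents, and
    the decoded payload of each block is returned so an operator can inspect
    what the attacker was actually running before deleting it.
    """
    payloads = []

    def _collect(match):
        try:
            raw = base64.b64decode(match.group(2), validate=True)
            payloads.append(raw.decode("latin-1"))
        except ValueError:
            payloads.append("<undecodable base64>")
        return ""  # drop the injected block from the file

    cleaned = INJECTION_RE.sub(_collect, source)
    return cleaned, payloads


def clean_tree(root, dry_run=True):
    """Scan every *.php file under root; return {path: [payload, ...]} for hits.

    With dry_run=True nothing is written; set it to False to overwrite the
    infected files with their cleaned contents.
    """
    hits = {}
    for path in Path(root).rglob("*.php"):
        original = path.read_text(encoding="latin-1")
        cleaned, payloads = strip_injections(original)
        if payloads:
            hits[str(path)] = payloads
            if not dry_run:
                path.write_text(cleaned, encoding="latin-1")
    return hits


# Constructed sample: a harmless stand-in payload, base64-encoded and wrapped
# the way the injection is described, prepended to an ordinary PHP file.
SAMPLE_PAYLOAD = b'echo "stand-in for the real payload";'
SAMPLE_B64 = base64.b64encode(SAMPLE_PAYLOAD).decode()
SAMPLE_ORIGINAL = '<?php\n// original site code\necho "index";\n'
SAMPLE_INFECTED = f'<?php eval(base64_decode("{SAMPLE_B64}")); ?>\n' + SAMPLE_ORIGINAL


if __name__ == "__main__":
    cleaned, payloads = strip_injections(SAMPLE_INFECTED)
    print("decoded payloads:", payloads)
    print("cleaned file:\n" + cleaned)
    # Real use, from the site's document root (hypothetical path):
    # print(clean_tree("/var/www/html", dry_run=True))
```

The decode step matters: the base64 blob hides what the attacker runs, and reviewing the decoded payload is how you confirm the block is the injection described here rather than some plugin's own obfuscated code before removing it site-wide.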
For older exploits, please check out our Simple Cleanup Solution
If you need help cleaning up your site, contact us at firstname.lastname@example.org or at http://sucuri.net